From owner-freebsd-hackers@freebsd.org Wed Jan 27 23:55:19 2016 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 26877A703DA for ; Wed, 27 Jan 2016 23:55:19 +0000 (UTC) (envelope-from asomers@gmail.com) Received: from mail-ob0-x22f.google.com (mail-ob0-x22f.google.com [IPv6:2607:f8b0:4003:c01::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E52FB315 for ; Wed, 27 Jan 2016 23:55:18 +0000 (UTC) (envelope-from asomers@gmail.com) Received: by mail-ob0-x22f.google.com with SMTP id vt7so21897120obb.1 for ; Wed, 27 Jan 2016 15:55:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=OYF1ownZEmvvEbToszBAHFZ5XQ2RqiI7IKjV4E8wMl8=; b=zR4JNvyk8/o1ZD/bac0sVE3CnYa1AmI3AJ27fbvYf3L7vqcbl9ZITn08bgUkB0O7pZ u0VxVbI1dd2FQptk2T3XxzYKrhDCufUzfRPxjs04KSIrNgYR+G4MesJAih9q/Kg/rmBg hIFUCik1MGh8nTo2K/4eqjENvmz+xDimvlqiparGsGBvlIbEOWqXCMjL7neg+CCZUpc+ PLac6WTjBtC8CSfuYYhp4rbBrDGf57X7LL4Dzh909pC4kPjJx4eVChYmdRz/RSmdAO6b 4XcIYuQ80OjE+SZHJLEUk6DychWWjRGw1rkbVv2UlqLIu5utMESvF3/VvdCCzYPLtQ/2 9x6g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:content-type; bh=OYF1ownZEmvvEbToszBAHFZ5XQ2RqiI7IKjV4E8wMl8=; b=SNsgh0sze44Bk7Wg/eztF6CZ0V5L7yTSyRVYqxf/zQtBEHDTQm8A0AUVVmABwxyg// 38RobrHiN6odNJCRClhJW7rbRi2EcPsoC9qEF6ia8vy42Uqxkzd1CLj1SDm1RYyQq7p2 x9SnFJSP+PLXaMuHFGhFS565kQo1lk20Y6jxNh9X1K1rJpJxRVHZNcvmOGogHkpltuBX qyV9J50AwcDaWT6HAiSG0lfCWm5LypbvDgOIg6yhtJ8pjSNTTvYHsixvQBUybUTEZprH spR7qMoSb7PM05MW8cVTM6SQubJiaEDU9+1+wq4yECI3LnsgklYKHAgTM0BqX0rm8rz/ iZ1A== X-Gm-Message-State: AG10YORn/+BIle2J+7RsWHPseJ2A2cvZj7sbBjVvCq59zilTkQFcTWoUz2dtphzGNJ21lmti2MusTgF7MPq2PQ== MIME-Version: 1.0 X-Received: by 10.182.79.103 with SMTP id i7mr24128291obx.41.1453938918147; Wed, 27 Jan 2016 15:55:18 -0800 (PST) Sender: asomers@gmail.com Received: by 10.202.69.86 with HTTP; Wed, 27 Jan 2016 15:55:18 -0800 (PST) Date: Wed, 27 Jan 2016 16:55:18 -0700 X-Google-Sender-Auth: 3aqQGa4zbeN03QlNzPXEHbcBMIc Message-ID: Subject: aesni doesn't play nice with krb5 From: Alan Somers To: "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Jan 2016 23:55:19 -0000 I'm experimenting with Kerberized NFS, but my performance sucks when I use krb5p. I tracked the problem down to an interaction between aesni and krb5: aes_set_key in kcrypto_aes.c registers for a crypto session and requests support for two algorithms: CRYPTO_SHA1_HMAC and CRYPTO_AES_CBC. aesni(4) supports the latter, but not the former. So crypto_select_driver returns cryptosoft and krb5 uses software for both algorithms. It's too bad that aesni doesn't support SHA1, but other software like OpenSSL deals with it by using hardware for AES and software for SHA1. It seems to me like krb5 could be made to do the same by registering for two sessions, one for each algorithm. In fact, it seems like it would be pretty easy to do. The changes would probably be confined strictly to crypto_aes.c. Is there any reason why this wouldn't work? -Alan